CVE-2019-0316

SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim’s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability.

CVSS v3 4.8 MEDIUM
CVSS v2.0 3.5 LOW

4.8^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://launchpad.support.sap.com/#/notes/2745917	Permissions Required Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:netweaver_process_integration:7.10:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.11:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.20:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.30:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.31:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.40:::::::*
	cpe:2.3:a:sap:netweaver_process_integration:7.50:::::::*

History

No history.

Information

Published : 2019-06-14 19:29

Updated : 2023-12-10 12:59

NVD link : CVE-2019-0316

Mitre link : CVE-2019-0316

CVE.ORG link : CVE-2019-0316

JSON object : View

Products Affected

sap

netweaver_process_integration

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2019-0316", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2019-06-14T19:29:00.340", "references": [{"url": "https://launchpad.support.sap.com/#/notes/2745917", "tags": ["Permissions Required", "Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim\u2019s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability."}, {"lang": "es", "value": "SAP NetWeaver Process Integration, versiones: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 a 7.11, 7.30, 7.31, 7.40, 7.50, no valida suficientemente las entradas controladas por el usuario, lo que permite a un atacante que posee privilegios de administrador leer y modificar datos del navegador de la v\u00edctima , al inyectar scripts maliciosos en ciertos servlets, que se ejecutar\u00e1n cuando se enga\u00f1e a la v\u00edctima para que haga clic en esos enlaces maliciosos, lo que da como resultado una vulnerabilidad de Cross Site Scripting reflejada."}], "lastModified": "2020-02-10T21:48:48.353", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75E83C25-D30B-4459-A1F1-DE7EC9FD46BE"}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "900D10B0-B47B-46B0-A0A9-8E41660429DD"}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.20:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D57CEB9D-5C06-4B3E-A36E-5B8689CA5657"}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3062CE84-B6E2-40DE-B7B1-0752FC21BFAD"}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "587D81FB-B2ED-4184-9258-A38A18B36DC5"}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.40:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A325699D-6AB0-4BBC-A21C-A974FA1612DE"}, {"criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.50:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A3A3226-28D1-4B43-942B-F41BD340E746"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}